Chapter 5. Internal Security

 

The most peaceable way for you, if you do take a thief, is to let him show himself what he is, and steal out of your company.

 
 --William Shakespeare, Much Ado About Nothing

This chapter focuses on securing your network from the inside, with the assumption that all your external security efforts are in vain if the inside security is a pushover. Secondly, because “inside jobs” are rarely pretty or welcome, this chapter details some practices that avoid—in the best case—and detect and punish—in the worst case—an intruder in your midst.

Internal Security: The Red-Headed Stepchild

It’s probably a good bet that your network perimeter is incredibly more secure than the inside of your network; most networks are “crunchy on the outside, chewy on the inside.” You can probably blame the “firewalls-fix-everything” mentality of the last several years for this. This means that your internal vulnerabilities might very well be the cause of your worst security nightmare.

In fact, although the Computer Security Institute’s most recent “Computer Crime and Security Survey” says that 90% of respondents detected security breaches, the report goes on to say that only 40% of the respondents detected breaches from the outside. Do the math.

NOTE

You can see the executive summary of the Computer Security Institute’s “2002 Computer Crime and Security Survey” at http://www.gocsi.com/press/20020407.html

(See the “Resources” section at the end of the chapter for more surveys, articles, and so on.)

The survey goes on to state that 78% of respondents detected unauthorized access by insiders. Clearly, internal security is a huge problem. The ICSA (International Computer Security Association) agrees, believing that insiders cause 80% of security problems.

NOTE

Stressing that firewalls are not a security panacea, the ICSA outlines some internal security problems in its “Firewall Buyers Guide” at http://www.icsalabs.com/html/communities/firewalls/buyers_guide/chap_2.shtml.

Internal Risks: Types of Harm and Vectors

Fine. So breaches of internal security are common. But what’s the worst thing that could happen? What are the risks? More to the point, what can you do about these risks?

Many times, assessing an organization’s internal risks can point directly to the necessity of implementing particular policies. It’s useful to break these risks down into types of harm and vectors.

Some of the common types of harm that you’ll want to consider are:

  • Server compromise

  • Network infrastructure compromise

  • Application-level compromise

  • Workstation compromise (Trojans)

  • Loss or theft of proprietary data

  • Transmission of inappropriate or harmful data to business partners

  • Denial of service

When we talk about vectors, we’re really talking about the human factor—any type of human action that can introduce harm into your network. The human factor is rather complex; it’s useful to further break down this factor into organizational roles and type of intent.

Some types of intent typically are:

  • Well-meaning/unwitting—A person accidentally introduces harm into the network

  • Scofflaw—A person knowingly bypasses security checkpoints

  • Disgruntled/malicious/opportunistic

The types of organizational roles are:

  • Members of the public—That is, users of a kiosk, folks who are wandering your building and stumble across an unlocked wire closet, or even people driving by with a wireless network card if you have a wireless network (see Chapter 27, “Wireless Security Auditing”).

  • Temporary employees

  • Departmental users—Each department should really be considered separately, because each can present a different level of privilege and/or risk.

  • Infrastructure, server, or application administrators

To visualize the way that these two factors interact to generate a level of risk, it’s useful to set them into a chart where the upper left represents the least amount of risk, and the lower right represents the most risk.

Table 5.1. Human Vectors: Degree of Risk

Organizational role                                      Well-meaning/Unwitting   Scofflaw   Disgruntled/Malicious/Opportunistic
-------------------------------------------------------  -----------------------  ---------  -----------------------------------
Members of public (kiosk, unlocked wire closet)          Least risk
Temporary employees
Departmental users (each considered separately)
Infrastructure, server, or application administrators                                        Most risk

(Risk increases from the upper left of the table toward the lower right.)

Obviously, a malicious administrator is your organization’s worst nightmare, but gone are the days when “only” IT professionals could rock the network boat. Today’s high-profile security problems, coupled with “script kiddie” exploits and a permissive workstation policy, means that any jerk with an attitude, an IQ of more than 80, and a PC can take advantage of your untended network. To fight back, enact a strong Acceptable Use Policy (AUP); check up on it with auditing and IDS tools; and enforce it. (See Chapter 25, “Policies, Procedures, and Enforcement,” for more info on building an AUP.)

Well-meaning/Unwitting Employees

Just about any of your employees could fall into this category under the influence of the hacker strategy of social engineering. Social engineering is the act of using inter-personal skills to get people to give away information that they otherwise wouldn’t. The implication is not widely understood, but yes, some hackers do have social skills.

Their methods can be quite ingenious. Perhaps a hacker notices on some hobby discussion board that a particular mid- to low-level employee is dialing up from an ISP instead of the usual IP block of your company. The hacker might then call an IT admin in the company pretending to be that worker, and explain that he is telecommuting today, his machine crashed and he’s having to reinstall, and he needs to know the VPN (Virtual Private Network) settings. Assuming a large organization and an admin that doesn’t know that employee’s voice very well, she just might give the information out.

The hacker might follow up by calling the main number of your company pretending to be a vendor and requesting to talk to a high-level manager. If the receptionist tells him that the manager is on vacation today, he can ask to leave a voicemail and try to subvert your phone system to send a voicemail on behalf of that manager. In the voicemail, he could tell a system administrator to create a new user account. With a VPN connection and a user account, he then has practically unfettered access to your systems.

That’s just one example. The important thing to take away from this is not the details, but the generalities. Hackers could go on a smoke break by the back door with your employees and sneak inside, then pretend to be a new hire in person. Consider a separate, unpublished phone number for telecommuter tech support. Make sure your phone system is secure. Have photo ID badges for all who are authorized to be in the building—and enforce it. And most importantly, you should train everyone in the company to not give out any information unless they are certain of whom they are talking to, lest they become unwitting victims of social engineering.

Scofflaw Employees

Scofflaw employees—that is, employees who want to bypass your normal security measures for their own convenience—can also be a huge problem.

The classic example of a scofflaw employee is one who ignores policy, bypasses the organization’s remote access mechanism, and decides to install a modem and PCAnywhere on her PC—many times without a reasonably good password. All of a sudden, there is an open door from the outside to your internal network—not a good thing.

Other examples include VIP users who do not want their Internet access to be monitored by IT. They therefore bypass corporate firewalls and dial into their own ISPs, which don’t necessarily have the same type of security policies as the organization.

NOTE

I knew one VIP user in particular who bypassed his organization’s email system—a system that scanned inbound and outbound email for viruses. He decided to use a dial-up account with a local vendor that did not have virus protection on the mail gateway.

To make a long story short, his workstation hadn’t received the most recent virus pattern update yet, and one of his cronies sent him a virus that messed up his workstation, necessitating an “emergency” call to the help desk. Scofflaws oftentimes shoot themselves in the foot while they’re putting the organization at risk.

As workstation-based Trojans become more common, bypassing a site’s security checkpoints becomes worse and worse. Consider AOL’s recent problem with a workstation-based trojan; hundreds of member accounts were compromised when employees executed an interesting-looking program that arrived by email:

 

America Online Inc. acknowledged last week that 200 member accounts were compromised when targeted AOL employees opened infected e-mail attachments. The attachments unleashed a Trojan horse program that created a connection to the employees’ machines, allowing intruders to access password and credit card information.

 
 --“AOL Investigates Theft of Account Data,” Computerworld, Ann Harrison, June 26, 2000

These AOL employees were scofflaws in that they ignored an AOL policy: They opened executable content from untrusted sources because it looked less boring than the work that they were doing. Scofflaw users will become more and more of a threat as these types of Trojans proliferate. (See Chapter 18, “Trojans,” for more information.)

You can mitigate this risk somewhat by using desktop management tools to “lock down” the desktop—and in some organizations, this can in fact be appropriate—but in the end, it’s a policy problem, not a technology problem. Desktop management is only effective if the politics of an organization allow it to be.

Bottom line: Top-level management wouldn’t allow a VIP to erect a ladder on the side of the building to bypass corporate security’s checkpoints; it also should not allow anyone to bypass network security’s checkpoints. If top-level management truly understands the parallel, you have a powerful ally in the battle against scofflaws.

IT Employees

Of course, just because “everybody” is now a potential problem doesn’t mean that disgruntled IT workers and coders don’t have their own special set of concerns. More potential privileges mean more potential problems, naturally. Case in point is the oft-cited “logic bomb”:

 

Although the identification of the first software bomb is not certain, a classic example occurred in 1988 when a Texas firm called IRA suffered the deletion of some 168,000 payroll records from a database. This was shown to have been caused by a logic bomb planted by an employee named Burleson which was triggered 6 months after he left the firm.

 
 --“Computer Crime: An Historical Survey,” Richard E. Overill, Defence Systems International 98. http://www.kcl.ac.uk/orgs/icsa/Staff/overill.htm

System administrators and network infrastructure administrators can also be part of the problem—but they can also be part of the solution. If you have more than one hand in every pot, it’s a lot harder for one person to leave back doors, plant subversive code, and so on. That is, collaborative practices mean that systems and code are always subject to someone else’s review (see the next section, “Risk Mitigation Policies”)—which means that you can nip problems in the bud. (See also Chapter 13, “Logging Tools.”)

Risk Mitigation Policies

You’ll want to establish clear, written policies in partnership with your organization’s management team. This partnership can’t be emphasized enough—a policy without teeth might as well never have been written. You’ll want to

  • Establish good physical security for all infrastructure—no matter how insignificant a piece of infrastructure might seem.

  • Get management to build some level of concern for network security into the hiring process.

  • Explicitly forbid bypassing security checkpoints (such as firewalls, remote access servers, and so on) in your AUP.

  • Establish desktop management policies as they relate to virus/Trojan protection and levels of workstation lockdown.

  • Encourage small teams of administrators to collaborate. If there’s more than one administrator watching the henhouse, it’s less attractive to the fox.

  • Employ intrusion detection systems (IDSs, see Chapter 12, “Intrusion Detection Systems”), being careful to employ those that can handle high-bandwidth internal networks.

  • Audit your systems and procedures periodically. (See Chapter 11, “Vulnerability Assessment Tools (Scanners),” and Chapter 13.)

  • Maintain current levels of operating systems and applications—vendors usually patch script kiddie exploits rather quickly. (See Part V, “Architecture, Platforms, and Security,” for more information on maintaining current levels.)

Physical Security

It’s actually pretty easy to practice due diligence with physical security. You’ve just got to be meticulous and consistent, and take it seriously. Pretend that someone could burglarize you personally if you’re not careful. It might help to pretend that you live in New York.

In all seriousness, physical security is where the battle can easily be lost—although it can’t be totally won with just physical safeguards. Little things like the capability to reboot a server from a floppy, or finding an unused username on a printout—or even finding a tape with a copy of a security database on it—make an intruder’s job easier. Let’s make it hard.

Here are some “dos” and “don’ts” that will make your job a little easier, an intruder’s life a little harder, and your data a little more secure:

  • DO lock every wiring closet—and keep them locked.

  • DO use switches rather than hubs, especially for LAN segments that have administrative users on them. (They still must be physically secure to ensure that someone can’t access the switch and packet sniff via port mirroring.) The price differential between hubs and switches has come down dramatically in recent years.

  • DO change locks or door passcodes, and passwords to any shared accounts immediately when employees leave.

  • DO erase hard drives, flash, and so on, when you take them out of service. Nobody’s going to remember to do it before the surplus auction, and all sorts of passwords and/or sensitive data might be on them.

  • DO write nonsense data to magnetic media when you are erasing it. Dropping a partition table is NOT good enough. (Degaussing is okay, though.)

  • DO use a paper shredder. Don’t laugh. Dumpster diving is more common than you think.

  • DO lock your server cabinets when you’re not using them.

  • DO restrict or forbid the use of modems on desktops; they are the number one method of bypassing your organization’s security checkpoints.

  • DO make sure that any “road” laptop or PDA has appropriate data protection software and hardware installed before deployment.

  • DO consider whether user access to floppy disks or other removable media makes sense for your environment; such media constitute a possible bypass of your security checkpoints.

  • DO consider the use of smart cards/token-based security devices rather than passwords for administrative users or sensitive systems. Many operating systems now support token-based authentication in addition to passwords.

  • DO remember that your phone PBXs must also be secured.

  • DON’T send off-site backups to unsecured locations.

  • DON’T give keys to vendors. Let them in to do their work, and then politely wave bye-bye when they leave.

  • DON’T allow anyone other than key personnel ad hoc access to the data center.

  • DON’T share wire closets with user-oriented peripherals such as printers.

  • DON’T put servers into unsecured areas.

  • DON’T leave server keys attached to the back of a server. Believe it or not, other people will think of this, too.

  • DON’T let cleaning people—or other untrusted service people—into secured areas without an escort.

  • DON’T store any sensitive data on user hard drives—if you must, think about hard drive encryption products.

  • DON’T discuss passwords or other sensitive information over unsecured channels such as cell phones, cordless phones, 800MHz radios, or instant messaging.

  • DON’T put consoles, keypads, or administrative workstations near windows.
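The “DO write nonsense data to magnetic media” item above is easy to state and easy to get wrong: a delete or a dropped partition table leaves every byte in place. The following script is an added example (not from the book) of what a real overwrite looks like: it writes fresh random data across the whole length of a file or block device for several passes, forces each pass to disk, and then scans the media for a known marker to confirm nothing recognisable survived. The `demo()` function builds a constructed payroll-like file in a temporary location so the whole thing runs offline; the file name, marker text and pass count are assumptions of the example.

```python
import os
import secrets
import tempfile

BLOCK = 1 << 16  # 64 KiB write/read chunk, so large media never has to fit in RAM


def overwrite_media(path: str, passes: int = 3) -> int:
    """Overwrite every byte at `path` (regular file or block device) with
    random data, `passes` times, syncing after each pass.
    Returns the number of bytes written per pass."""
    size = os.stat(path).st_size
    if size == 0:
        # Block devices report st_size 0; seek to the end to measure them.
        with open(path, "rb") as f:
            size = f.seek(0, os.SEEK_END)
    for _ in range(passes):
        with open(path, "r+b") as f:
            remaining = size
            while remaining > 0:
                chunk = secrets.token_bytes(min(BLOCK, remaining))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())  # don't trust the page cache: push it to the platter
    return size


def contains_pattern(path: str, pattern: bytes) -> bool:
    """Chunked search for `pattern`, keeping an overlap so a match that
    straddles two chunks is not missed."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                return False
            if pattern in tail + chunk:
                return True
            tail = chunk[-(len(pattern) - 1):] if len(pattern) > 1 else b""


def demo() -> dict:
    """Constructed demonstration: write a recognisable marker to a temp file,
    wipe it, and report what the verifier finds before and after."""
    marker = b"PAYROLL-RECORD-0001 "          # constructed sample content
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 5000)               # 100,000 bytes
        path = tmp.name
    try:
        before = contains_pattern(path, b"PAYROLL")
        written = overwrite_media(path, passes=2)
        after = contains_pattern(path, b"PAYROLL")
        size_after = os.stat(path).st_size
    finally:
        os.unlink(path)
    return {"before": before, "after": after,
            "written": written, "size_after": size_after}


if __name__ == "__main__":
    print(demo())
```

Two practical notes. First, the check at the end is the part people skip; a wipe procedure that nobody verifies is exactly the kind of “lip service” the chapter warns about elsewhere. Second, this overwrite approach is appropriate for the magnetic media the item talks about; flash devices remap writes internally (wear levelling), so an overwrite from the host cannot be assumed to reach every physical cell, and a vendor secure-erase command or physical destruction is the safer route for them.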

The Hiring Process

Naturally, J. Random Hacker isn’t going to show up and reveal his otherworldly activities at a job interview. And even doing background checks can turn into nothing more than lip service, depending upon who’s doing the checks—and whether the individual has been caught in the past.

Still, there are things you can do to minimize your risks during the employment process. Start out by doing a “due diligence” background check—particularly for employees that will be involved in any level of IT. Do your homework and use a reputable agency to do your background checks—as with anything else in computing, “garbage in, garbage out.” If you are using an internal HR check or some other check that you don’t get invoiced for, communication is the key. Don’t assume that silence from your background check folks means “Everything is OK.” Lack of “NACK” (Negative ACKnowledgement) does not mean “ACK.” It might simply mean that your request form got thrown out with lunch’s pizza box. See http://www.nwc.com/1201/1201colfeldman.html for more discussion of the hiring process.

After you’ve worked with management to establish an Acceptable Use Policy, your next step is to work with HR to integrate it as part of the employment process for any employee. You want it integrated for two reasons: First, because it sends a message, and might dissuade an employee from snooping or fiddling where she doesn’t belong. Second, if termination or disciplinary action is necessary because of AUP violation, it’s definitely a lot easier to do if you have an “I-have-read-and-understood-this” AUP to back you up.

Establishing Desktop Lockdown

Lockdown, in the desktop management context, means that you’ve managed to apply the straps to your users in such a way that they can’t hurt themselves—or your network. In the best case, this is done in such a way that the users don’t feel constricted or stifled. Having a heart-to-heart with management about the level of lockdown can only be a good thing. Users get extremely irrational about losing any amount of autonomy, and you will definitely want management to buy into any lockdown that you need to enact.

It should be pointed out that desktop management—any desktop management—that resides on a local workstation can be bypassed by a clever user, unless there is serious physical security in place (no floppies, an “unpickable” case lock, and so forth). This, of course, is the type of security that you must have if you have public information terminals, kiosks, and so on. The point is that any workstation that isn’t physically secured can usually be booted from alternative media, and then the local OS can be modified to a malicious user’s heart’s content.

Still, desktop management and lockdown for nonpublic users are important due diligence measures, and definitely should not be skipped. The important thing here is to prevent either well-meaning or scofflaw users from hurting themselves and others. Defeating a truly noncasual and malicious user isn’t the primary purpose of desktop management.

TIP

As far as manual procedures go, you can see some sample system lockdown checklists at http://www.nswc.navy.mil/ISSEC/Form/index.html.

Virus protection, of course, is a mandatory component to desktop management. Virus protection is (or should be) such second nature to today’s IT staff that we mention it here simply to ask one question: Can the user turn off virus protection?

Some virus protection suites let the user do this; others password-protect the entire control panel. You should certainly password-protect the control panel if possible, but you should also enact desktop management policies that check and re-install virus protection if the workstation’s otherwise permissive operating system allows its removal.

Good desktop management tools enable you to not only “force” certain applications, but they can also

  • Force applications to be configured in a certain way (notably browsers).

  • Restrict users from running anything but a certain set of applications.

  • Restrict use of removable media.

  • Prevent users from modifying system configuration.

Restricting Content

It used to be that IT managers were only worried about what users were able to download; that is, folks were concerned about employee abuse of the Internet. At the time, there wasn’t technology to check what the actual downloaded content was—so managers contented themselves with blocking sites based upon where the user tried to surf. Certain software manufacturers also became service organizations (notably Cyber Patrol, discussed later in this chapter) that maintained a list of URLs in certain categories: adult-oriented, comedy, shopping, news, and so on. As a manager, you could then block various categories with a perimeter device that had access to these lists.

This strategy, however, wasn’t complete in and of itself. Objectionable sites surface overnight, and the list didn’t always reflect reality. And, filtering outbound URLs does nothing to fight questionable content that leaves your site.

Because one of the risks to your organization is the unauthorized disclosure of content (customer lists, intellectual property, and so on), one of the hottest topics in corporate security today is that of content management (also called content filtering, content services, and content restriction). Content management works in conjunction with your perimeter security devices. The software can perform lexical analysis, pattern matching—even image recognition. (Yes, those images.)

Another risk faced by your organization is the transmission of inappropriate content (pornographic, libelous, or otherwise offensive data) or dangerous content (such as Trojans and viruses) to business partners. You’d have to be nuts to think that any tool could totally eliminate the possibility of inappropriate content making it through your checkpoints. But content management tools can limit the possibility. Virus gateway protection software is one example of specialized content management.

Some vendors label their products as content filters, when in fact they are site filters or URL filters. Again, rather than checking the data stream for objectionable content, they check the Web address against a categorized list of known Web sites. Site filtering has merit. It can definitely decrease the amount of day trading/time-wasting/non-work-related surfing at your organization—but it’s not content filtering. It is only as effective as the folks who update the lists. And, site management doesn’t do anything for your intranet.

That said, content management tools fall into two categories: those that offer generic content-checking services to the network, and those that operate solely on a specific application.

Those that offer generic content services tend to do it via CheckPoint Software’s CVP (Content Vectoring Protocol). CVP accepts a connection from a client, proxies the request to the server, scans the content, and either modifies or denies the request when content does not pass muster.

There is not yet an RFC-based content restriction protocol that has been widely implemented. If you’re not using Firewall-1 or another firewall that supports CVP, you might have to purchase individual products that separately monitor Web content (HTTP), email (SMTP), news (NNTP), and FTP.

You’ll also probably have to put up with some degree of false positives—yet another thing to administrate. For example, content filters commonly block Network Computing’s “Centerfold,” a showcase of innovative companies’ networks.
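To make the site-filter/content-filter distinction and the CVP-style allow/modify/deny decision concrete, here is an added example (not the book’s code and not any vendor’s) in Python. The category list, the deny rules and the sample messages are all constructed for the example. `site_filter` only knows hosts on its list, so a brand-new site sails through; `content_filter` looks at the data itself, denies anything carrying a confidentiality marking or customer record, and redacts (modifies) card numbers rather than denying outright. A Luhn checksum is applied before a digit run is treated as a card number, which is one simple way to reduce the false positives the paragraph above mentions.

```python
import re
from urllib.parse import urlsplit

# --- Site (URL) filtering: a categorised list of known hosts, standing in for
#     a vendor subscription list. Constructed for this example.
SITE_CATEGORIES = {
    "casino.example": "gambling",
    "adult.example": "adult",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"gambling", "adult"}


def site_filter(url: str) -> tuple:
    """Classify a URL by host (or any parent domain) against the list.
    Returns (verdict, category). Unknown hosts are allowed, which is the
    built-in weakness of list-based filtering."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        category = SITE_CATEGORIES.get(".".join(labels[i:]))
        if category:
            return ("deny" if category in BLOCKED_CATEGORIES else "allow", category)
    return ("allow", "uncategorised")


# --- Content filtering: pattern rules applied to the data stream itself.
def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on card-number-looking digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
DENY_RULES = [                                       # constructed lexical rules
    ("confidential-marking", re.compile(r"\bcompany confidential\b", re.I)),
    ("customer-record", re.compile(r"\bcustomer-id:\s*\d{6}\b", re.I)),
]


def content_filter(body: str) -> tuple:
    """Scan an outbound body. Returns (verdict, findings, body_to_send):
    'deny' when a deny rule fires, 'modify' when Luhn-valid card numbers
    were redacted, otherwise 'allow' with the body untouched."""
    findings = [name for name, rule in DENY_RULES if rule.search(body)]
    if findings:
        return ("deny", findings, None)

    def redact(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            findings.append("card-number")
            return "[REDACTED CARD]"
        return match.group(0)   # fails Luhn: likely an order number, leave it alone

    cleaned = CARD_RE.sub(redact, body)
    return ("modify" if findings else "allow", findings, cleaned)


def vet_outbound(url: str, body: str) -> dict:
    """Chain both stages the way a CVP-style content server would: the
    request is only forwarded if the site and the content both pass."""
    site_verdict, category = site_filter(url)
    if site_verdict == "deny":
        return {"verdict": "deny", "stage": "site", "category": category}
    content_verdict, findings, cleaned = content_filter(body)
    return {"verdict": content_verdict, "stage": "content", "category": category,
            "findings": findings, "body": cleaned}


if __name__ == "__main__":
    # Constructed sample traffic: a site the list has never heard of, carrying
    # marked-confidential content. The site filter allows it; the content filter does not.
    print(vet_outbound("http://brand-new-site.example/upload",
                       "Attached: COMPANY CONFIDENTIAL roadmap"))
    print(content_filter("Order 4111111111111112 shipped; card 4111 1111 1111 1111 charged"))
```

The second sample line shows the false-positive trade-off in miniature: both digit runs match the card regex, but only the one that passes Luhn is redacted. Real products tune this balance with much larger rule sets, and the administration burden the paragraph above describes is mostly the tuning of exactly such rules.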

Still, content filters can be worthwhile, if you target and configure them correctly. See the section “Products,” later in this chapter for a sampling of content-filtering tools. Look for content management to change and grow in the next couple of years; hit the Web or magazines like Network Computing for the latest scoop.

Administrative Collaboration

At first, administrative collaboration doesn’t seem like much of a security practice. How can teamwork make your internal network a safer place?

First, consider that any illegal or unethical action involving partners automatically means that there are witnesses and possible leads to an investigation. As Benjamin Franklin said, “Three can keep a secret if two of them are dead.”

Secondly, take the case where there is no explicit partnership during a questionable activity. The fact that there is another administrator who has responsibility for the system involved means that the system itself is under scrutiny. The fact that there is third-party scrutiny of the system might discourage the perpetrator in the best case, or at least lead to discovery of the questionable activity.

You should be careful, however, to avoid assigning too many hands to any given pot. Not only can this lead to system chaos, but it also can make unethical activity harder to trace, either during an incident or an audit. You definitely want a limited pool of individuals accountable for a given system.

Products

Products change all of the time—you’ll want to check the latest industry magazines and Web sites to make sure that you’ve got the latest options in front of you. The following sections list sample products in various categories so you can get off on the right foot.

Desktop Management

  • Product: Systems Management Server (SMS)

  • Company: Microsoft

  • URL: http://www.microsoft.com/smsmgmt/default.asp

  • Description: Certainly the easiest way to manage the desktops of a Windows network. Works with Win9x and NT with ZAK (Zero Administration Kit) and Win2000’s Group Policies.

  • Product: ZENWorks for Desktops

  • Company: Novell

  • URL: http://www.novell.com/products/zenworks/

  • Description: Desktop management using NDS (Novell Directory Services) as the configuration data store. Scales extremely well.

Laptop/PDA Security

When a portable device walks away, it’s not pretty; the loss of the device is nothing compared to the potential loss of sensitive information. Although “password-at-power-up” is popular, it is not a good solution after someone has stolen your device; use real data encryption instead. There are a huge number of options, and it’s not our intention here to offer a complete buyer’s guide. Rather, this is a starting point. When you’re looking to buy portable device security solutions, consider the following points:

  • Physical tokens are available—If the device will be used in a public place, there is always the risk of someone “keystroke watching” during password entry, and later stealing the device.

  • What type of encryption is used—Some vendors use a proprietary algorithm that hasn’t been publicly examined for flaws. Stay well away from these, as well as those algorithms that use “obscuring” tactics like XOR (bit-complement), which are not secure.

PDA Security

  • Product: ReadThis!

  • Company: PixIL

  • URL: http://www.schachar-levin.net/PixIL/Software/ReadThis/

  • Description: A module that requires HackMaster, and encrypts arbitrary Palm records. Beware, as the default method is XOR—as stated previously, not a secure method. Fortunately, an externally available IDEA encryption module is available. Source is only available for the external module.

Laptop Security

  • Product: Invincible Disk

  • Company: Invincible Data Systems, Inc.

  • URL: http://www.incrypt.com/idisk01.html

  • Description: Encrypts an entire hard drive using the Blowfish encryption algorithm. Supports physical tokens.

  • Product: SafeHouse for Windows

  • Company: PC Dynamics

  • URL: http://www.pcdynamics.com/SafeHouse/

  • Description: Offers several different encryption options, including Blowfish, and Triple DES; but also includes the not-so-secure DES algorithm, as well as a proprietary algorithm that has not been publicly scrutinized.

NOTE

If you use Unix or Linux on laptops, see the section “Resources” later in this chapter for a paper describing encrypted file systems such as cfs, sfs, cryptfs, and so on.

Physical Security

  • Product: Barracuda Anti Theft Devices

  • Company: Barracuda Security Devices International

  • URL: http://www.barracudasecurity.com

  • Description: Barracuda’s flagship product is a PC card that is inserted into an expansion slot; it monitors all computer components. You are paged when any component is tampered with or removed. A terribly shrill alarm goes off as well.

  • Product: Modem Security Enforcer

  • Company: IC Engineering, Inc.

  • URL: http://www.icengineering.com/mse/mseinfo.html

  • Description: Modem Security Enforcer includes callback authentication, password protection, firmware password storage (inaccessible to internal users), nonvolatile memory storage settings, and a completely configurable interface. There is a 9600bps version and a 19,200bps version.

  • Product: ModemLock for SmartCard Modems

  • Company: Intertex Data AB

  • URL: http://www.algonet.se/~intertex/html/modemlock.html

  • Description: Software that restricts incoming or outgoing modem use. Unfortunately, it requires that you use Intertex’s brand of smart card modems.

Content Management

  • Product: MIMESweeper product family—MAILSweeper, PORNSweeper, WEBSweeper, SECRETSweeper

  • Company: Re-Soft International, LLC

  • URL: http://www.re-soft.com/product/mimesweep.htm

  • Description: The kitchen sink, oven, stove, and dust-buster of content management. Filters everything from MIME-encoded email to porn-bearing GIFs.

  • Product: SuperScout, CyberPatrol, SurfControl

  • Company: SurfControl

  • URL: http://www.surfcontrol.com/

  • Description: All products use the same CyberNOT subscription list, and perform varying degrees of site filtering. SuperScout in particular can deny/allow sites based on file types.

Resources

Summary

Good internal security amounts to doing the same things you do for external security, and practicing due diligence with regard to self-auditing and policy enforcement. There are tools that can help, such as auditing tools/security scanners, content filtering tools, desktop management, and IDS, but in the final analysis, no tool can replace meticulous and sharp-eyed individuals.
